diff --git a/.snpcc_canary b/.snpcc_canary
index 4ee1c2fe9d6b..4f8925b59ebe 100644
--- a/.snpcc_canary
+++ b/.snpcc_canary
@@ -4,4 +4,4 @@ /-xXx--//-----x=x--/-xXx--/---x---->>>--/ ... /\/\d(-_-)b/\/\ -----
\ No newline at end of file
+----vmpl
\ No newline at end of file
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 14878b4f0f7e..9d666ea52a2d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,14 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
+## [6.0.0-dev3]
+
+[6.0.0-dev3]: https://github.com/microsoft/CCF/releases/tag/6.0.0-dev3
+
+### Changed
+
+- Set VMPL value when creating SNP attestations, and check VMPL value is in guest range when verifiying attestation, since recent [updates allow host-initiated attestations](https://www.amd.com/content/dam/amd/en/documents/epyc-technical-docs/programmer-references/56860.pdf) (#6583).
+
## [6.0.0-dev2] [6.0.0-dev2]: https://github.com/microsoft/CCF/releases/tag/6.0.0-dev2
diff --git a/include/ccf/pal/attestation.h b/include/ccf/pal/attestation.h
index 4ea93ae31fe0..d0128f5fe4f9 100644
--- a/include/ccf/pal/attestation.h
+++ b/include/ccf/pal/attestation.h
@@ -75,6 +75,20 @@ namespace ccf::pal fmt::format("SEV-SNP: Mask chip key must not be set")); }
+ // Introduced in
+ // https://www.amd.com/content/dam/amd/en/documents/epyc-technical-docs/programmer-references/56860.pdf
+ // The guest sets the VMPL field to a value from 0 thru 3 which indicates a
+ // request from the guest. For a Guest requested attestation report this
+ // field will contain the value (0-3). A Host requested attestation report
+ // will have a value of 0xffffffff. CCF current always sets VMPL to 0, and
+ // rejects non-guest values.
+ if (quote.vmpl > 3)
+ {
+ throw std::logic_error(fmt::format(
+ "SEV-SNP: VMPL for guest attestations must be in 0-3 range, not {}",
+ quote.vmpl));
+ }
+
report_data = SnpAttestationReportData(quote.report_data); measurement = SnpAttestationMeasurement(quote.measurement);
diff --git a/include/ccf/pal/snp_ioctl5.h b/include/ccf/pal/snp_ioctl5.h
index 830bd79b12af..7bad5ae89794 100644
--- a/include/ccf/pal/snp_ioctl5.h
+++ b/include/ccf/pal/snp_ioctl5.h
@@ -56,7 +56,7 @@ namespace ccf::pal::snp::ioctl5 struct AttestationReq { uint8_t report_data[snp_attestation_report_data_size];
- uint32_t vmpl;
+ uint32_t vmpl = 0;
uint8_t reserved[28]; };
diff --git a/include/ccf/pal/snp_ioctl6.h b/include/ccf/pal/snp_ioctl6.h
index cc73bb9ce369..3a765ce95bc0 100644
--- a/include/ccf/pal/snp_ioctl6.h
+++ b/include/ccf/pal/snp_ioctl6.h
@@ -23,7 +23,7 @@ namespace ccf::pal::snp::ioctl6 struct AttestationReq { uint8_t report_data[snp_attestation_report_data_size];
- uint32_t vmpl;
+ uint32_t vmpl = 0;
uint8_t reserved[28]; // needs to be zero };
diff --git a/python/pyproject.toml b/python/pyproject.toml
index 01353f9d6e5b..b8fadadf3d89 100644
--- a/python/pyproject.toml
+++ b/python/pyproject.toml
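Review bot: The explanatory comment above `if (quote.vmpl > 3)` has a typo (`CCF current always sets VMPL to 0`) and spreads the one fact a reader needs, that 0xffffffff marks a host-requested report, across seven lines; a shorter form such as `// VMPL is 0-3 for guest-requested reports and 0xffffffff for host-requested ones (AMD 56860). CCF always requests VMPL 0 and rejects host-requested reports.` says the same thing. The bound `3` is a bare literal in the condition and the error message repeats it as `0-3`, so a named constant such as `constexpr uint32_t snp_max_guest_vmpl = 3;` would make the intent greppable and keep the check and the message in step. The enclosing function begins and ends outside the hunk, so it is not visible here whether the report signature has already been verified; since the VMPL value is read from the report itself, this rejection only carries weight if signature verification runs on the same path, which is worth confirming.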
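Review bot: `reserved[28]` in the ioctl5 `AttestationReq` still has no initializer and, unlike the ioctl6 copy, no comment saying it must be zero, so a default-initialized request (`AttestationReq req;`) would pass indeterminate bytes to the kernel alongside the newly defaulted `vmpl`. Since the commit already adds a default member initializer for `vmpl`, the same treatment fits the reserved field: `uint8_t reserved[28] = {}; // must be zero`. The snp_ioctl6.h hunk has the identical shape and could take the same initializer, which also keeps the two headers consistent. Whether any caller default-initializes rather than brace-initializes the struct is not visible in this diff.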
@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta" [project] name = "ccf"
-version = "6.0.0-dev2"
+version = "6.0.0-dev3"
authors = [ { name="CCF Team", email="CCF-Sec@microsoft.com" }, ]